Thankfully, this is just an experiment. But it is chilling, nonetheless. Money Mail has travelled to a research lab in Germany which specialises in cyber security to test the safety of the new techniques banks are using to keep crooks from raiding your accounts.

Nearly all the major firms, from Barclays to HSBC, now allow customers to log into their accounts and make payments using so-called biometrics instead of passwords. This means using your fingerprints, face, voice, retina and even vein patterns to verify your identity.

Most smartphones now offer fingerprint sensors as standard for logging in — and it's certainly easier than remembering a series of numbers and letters.

In response, banks have updated their mobile apps and telephone banking to use biometrics, claiming it's safer than traditional passwords because our unique characteristics are harder to hack.

But our tests in Germany showed the new-fangled verification software can be cracked using everyday household equipment, including a pen and glue, that can be bought for less than £45.

We broke into bank apps that are solely protected by iPhone fingerprint sensors, facial recognition software and also cracked the voice recognition used for telephone banking.

The findings are deeply disturbing because, unlike a password or PIN, you cannot swap your voice or fingerprint for a new one if you're hacked.

The faked fingerprint is seen here finished and it's good enough to fool bank security systems

SAFEGUARDS THAT LEAVE YOU AT RISK

Ben Schlabs, a security consultant at Security Research Labs in Berlin, agreed to try to break into my phone's fingerprint sensor and apps that use facial and voice recognition - not to scare bank customers, but to raise awareness of weaknesses in the technology.

Security Research Labs is a respected IT security consultancy and think-tank which has worked with some of the world's biggest companies, including firms listed on Britain's FTSE 100.

Its experts try to spot security flaws in smartphone apps and payments systems to stop customers becoming victims of fraud.

Ben, a 34-year-old American, says: 'There is a huge misconception that biometrics only make our devices safer, but they add an extra window into the security wall for hackers to try to get through.'

The good news is that Ben says it's unlikely criminals would spend the time and effort cloning fingerprints, irises and voices to target ordinary customers, or carry out attacks on a mass scale.

He made it look easy, but in practice, hacking takes in-depth knowledge and skill.

And so far, no customer has reported losing any money to biometrics hackers.

Even if they did, banks say they would always cover losses - as they should for all genuine fraud where the customer was not at fault.

So for now, those most at risk are likely to be the high-profile and wealthy - or someone who knows their attacker well enough for them to have access to their body and their phone.

Mr Schlabs adds: 'We need to be honest and say biometrics increases convenience and helps with not having to remember so many passwords, but to increase security significantly users would need to type in their password and scan their fingerprint as well.'

FINGERPRINT CODE CRACKED IN HOURS

The process of copying my fingerprint was achieved in less than three hours. The equipment used could all be bought on Amazon for less than £45.

We leave our fingerprints smeared across our touchscreens every day, meaning phone thieves can get hold of them easily. Ben's team simply took a picture of the clearest fingerprint they could find on my phone.

For best effects, they went into a dark cupboard and used a torch so my fingerprints showed up clearer.

We won't reveal exactly how, but that picture was then transferred on to a printed copper-plated circuit board - the kind hobbyists can buy for £4 for a pack of 10 from Amazon.

Finally, Ben's team painted a cheap polyvinyl acetate glue on to the copper engraving and, after a couple of hours, peeled back the glue to reveal a near-perfect copy of my fingerprint.

By placing the glue print on his fingertip, Ben was able to press the sensor on my iPhone 7 and break into my phone.

We tried this on an iPhone 6S and an iPhone 5S with the same results. Ben says the same trick can be replicated on all smartphones with fingerprint sensors.

Ben shows Louise how easy it is for criminals to hack through technologies such as fingerprint ID and face recognition

Using the cloned fingerprint, the 'hacker' was able to enter every mobile banking app I had downloaded to my phone, including NatWest and Metro Bank.

Other banks which use fingerprint technology include HSBC, Barclays and Lloyds.

Banks rely on the technology provided by the maker of the phone - in this case, Apple. So if the Android or Apple device reports that the fingerprint matches, the bank's app allows the user in.

Many banks also allow new payees to be set up and payments sent using fingerprint authorisation.

This enabled the lab to send money to a new account from my own bank account. Had this been a genuine attack, it is likely I would have been stung for more than the 1p they transferred.

To set it up, you stare into the camera on your smartphone and the Atom app captures images of your face.

The pretend hackers found several photographs of me on Google and Twitter from my work as a journalist.

They downloaded a photograph of my face from Twitter and saved it to their own phone.

The Atom app - like many others - claims to have 'liveness' technology which can distinguish a photograph from a real person.

But this often just means the app looks for evidence of the person blinking. When the researchers opened my Atom app, it instructed them to 'just blink'.

They held up their phone with the picture of my face from Twitter and ran a pen momentarily in front of it. The app opened, tricked into interpreting the movement as blinking.

Other banks developing facial recognition security say they are using even more robust technology.

Lloyds has struck a deal with Microsoft's Windows 10 'Hello' Service to allow customers to log on to a computer, rather than an app, by showing their face to a camera.

This technology uses two cameras to scan a 3D image of the face, meaning the pen trick would not work.

CROOKS CAN EVEN STEAL YOUR VOICE

Our voices contain 100 or so physical and behavioural characteristics which make them unique.

Several UK banks now use this as an option for logging into apps or making payments.

For example, the Atom app asks you to repeat the same phrase each time: 'My identity is secure because my voice is my passport. Verify me.'

Other banks also use this phrase.

Some claim to be able to distinguish a recorded voice from a live voice.

But when researchers recorded me saying this phrase on their own mobile phone, standing a couple of feet away, they were able to get into my Atom app seconds later by replaying the message.
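As an added example (not part of the original article or any bank's code): a common defence against replaying a recording of a fixed phrase is to ask for a freshly generated, single-use phrase with a short lifetime. The word list, the `ChallengeStore` class and the `transcript` / `speaker_matches` inputs are assumptions standing in for a real speech recogniser and voice-biometric engine.

```python
import hmac
import secrets
import time

# Constructed word list; a real deployment would use a far larger vocabulary.
WORDS = ["amber", "river", "candle", "orbit", "maple", "signal",
         "harbour", "velvet", "copper", "lantern", "meadow", "quartz"]
TTL_SECONDS = 30  # assumed lifetime of a challenge


class ChallengeStore:
    """Issues one-time spoken phrases and rejects reused or late answers.

    This limits replay of old recordings only; it does not detect
    synthesised speech.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge id -> (phrase, expiry time)

    def issue(self, n_words=4):
        rng = secrets.SystemRandom()
        phrase = " ".join(rng.sample(WORDS, n_words))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (phrase, self._clock() + TTL_SECONDS)
        return cid, phrase

    def verify(self, cid, transcript, speaker_matches):
        # pop() makes every challenge single-use, even when the attempt fails.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown-or-reused"
        phrase, expiry = entry
        if self._clock() > expiry:
            return "expired"
        said = " ".join(transcript.lower().split())
        if not hmac.compare_digest(said.encode(), phrase.encode()):
            return "wrong-phrase"  # e.g. a recording of an older, fixed phrase
        return "ok" if speaker_matches else "speaker-mismatch"
```
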

Last year, software firm Adobe launched a programme called Voco, which allows you to record someone's voice and get that voice to say phrases which the person may have never said before.

Santander UK already allows customers to make payments using their voice over the phone. HSBC and its offshoot First Direct also allow voice recognition to access their accounts.

Despite being hailed as highly secure, a BBC journalist's non-identical twin broke into his brother's account in an experiment last month.

HSBC said it would increase the sensitivity of its software.

EVEN YOUR EYEBALLS ARE NOT SECURE...

TSB has announced plans to offer Europe's first iris scanning technology to log into its mobile banking.

However, in May, German hackers claimed to have cracked iris-recognition technology in Samsung's new Galaxy S8 smartphone.

The Berlin-based Chaos Computer Club placed a high-resolution photograph of an iris behind a contact lens and held it up to the phone's camera to gain entry.

Dirk Engling, of the Chaos Computer Club, says: 'The security risk to the user from iris recognition is even bigger than with fingerprints, as we expose our irises a lot.'

Samsung insisted it would require an unlikely and 'rare combination of circumstances' to pull off such an attack, including possession of the person's phone.

Other firms are looking into so-called 'behavioural biometrics'. This includes monitoring how a user interacts with their laptop or smartphone device - everything from your mouse movements to the swiping gestures you make on a phone.

Vein recognition technology was launched in Japanese banks several years ago and is now used at ATMs in countries including Poland. The technology allows customers to press their finger on to an infra-red reader, which recognises the vein pattern just below the surface of their skin.

Now, a firm called Sthaler has started a trial in a North London bar, where customers can pay for their drinks using a bar-top finger scanner. They hope supermarkets will follow with the technology.

Futurologist and the inventor of text messaging, Dr Ian Pearson, says: 'Soon, people will complete a transaction just with a simple gesture and a few words.

'Gesturing towards someone and saying "Here is £13.46" is enough to combine the voice and gesture recognition with the presence of your smartphone to be an electronic ID.'

Katy Worobec, head of fraud at UK Finance, says: 'While it may be possible to circumvent biometric security in a lab, this is highly technical and very difficult to scale up to make it a widespread problem.'

Ed Twiddy, chief innovation officer at Atom, says: 'Atom has decided to employ both the security inherent in the phone meaning you have to access the phone using fingerprint or passcode, but also other unrelated technology to capture face and voice biometrics from customers.

'We think this enables easy access for customers, but also creates a genuine separation between accessing the phone and accessing the bank.

'We believe that an experiment under controlled conditions, where a customer mimics themselves to gain access to their own account, is not reflective of the real-life scenarios that banks and other users of biometrics technologies are protecting customers from on a day-to-day basis.

'Any potential fraudsters would need to recreate a number of difficult circumstances.

'Even if they did succeed, we're confident our customers' money is safe, as we only offer non transactional accounts (fixed terms savings and mortgages), so money cannot be transferred out.'

A spokesman for NatWest says: 'Touch ID does not replace any of our existing controls which are in place on the mobile banking app to protect customers. [Money Mail's tests] require a fraudster to have access to the customer's mobile phone.

'If a customer's iPhone is lost or stolen they can contact us so we can suspend the mobile banking app on their phone.

'They can also use their 'find my iPhone' feature remotely to wipe the phone of any apps, including our mobile app.'

This feature allows owners to find lost or stolen iPhones, if they are switched on.

To do this you simply log onto Apple's iCloud.com website with your password and click on the 'Find your Device' button. This uses the GPS in your phone to tell you exactly where you last left it.

NatWest said it would refund fraud losses as long as the customer had kept their security information secret.